disable smbstatus?

[Mark Proehl]

Hi,

what about setting the lock directory (the directory that contains
locking.tdb) to 0700, so that only root can read it? I have not tried
this, but I would be interested if that works.

Mark



> Dear Samba Users and Developers,
> 
> Is it possible to disable the smbstatus command for non-root users? It is
> extremely important on my network that users cannot see other users'
> lockfiles, it is a security risk for other users to know the names of the
> respective files.
> 
> I'm running Samba 3.0.22 (I've also tried most of these procedures on 2.x,
> which I have run for several years) and FreeBSD (6.0), and thus far, I have
> tried the following:
> 
> -in samba.conf:
> status = no
> in the global options.  Does nothing.
> 
> -Changing permissions of /var/db/samba/connections.tdb and
> /var/lock/connections.tdb to 600.  Does nothing except shows an error, but
> annoyingly it still shows the lockfile of the file that's supposed to be
> secret, and all of the active sessions. (I don't care about the sesssions
> being public for other users that much, but the lock files being public
> really bothers me)
> 
> -tried running samba with both the samba.sh script (and without, by directly
> launching smbd and nmbd)
> 
> -in samba.conf:
> locking = no
> On each of the respective shares.  Does nothing.
> 
> Made smbstatus chmod 700, which technically works, but not really because a
> user could just copy the binary from another unix system, or build it
> locally.
> 
> Either way, in which database is this information stored, and how can I be
> assured that as little information is made avaiable to non-root users as
> possible?
> 
> I have been searching through some of the archives to find an answer, but I
> have not yet found anything conclusive.  I sincerely hope that all user
> smbstatus isn't a feature.
> 
> Thank you for your time, and I sincerly hope that some kind of a secure
> solution is possible.
> 
> 
> -Bob